CVE-2026-46605

NameCVE-2026-46605
DescriptionIncomplete authorization by Apache ActiveMQ server before versions v6.2.6 and v5.19.7 allows authenticated connections to remove existing destinations with proper permissions. This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version v6.2.6 or v5.19.7, which fixes the issue.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
activemq (PTS)bullseye5.16.1-1vulnerable
bullseye (security)5.16.1-1+deb11u2vulnerable
bookworm, bookworm (security)5.17.2+dfsg-2+deb12u1vulnerable
sid, trixie5.17.6+dfsg-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
activemqsource(unstable)(unfixed)

Notes

https://www.openwall.com/lists/oss-security/2026/05/31/20
Search for package or bug name: Reporting problems